Mandiant's 74-page report covers a particular hacking group referred to as "APT1" and contends that the group works for or under the direction of the Chinese government as part of the military's secretive "Unit 61398." The report ties a huge string of hacks over the last few years to Unit 61398 and goes on to show the building where the hacks might be hatched. The report is stuffed with detail uncommon in these types of stories, and even includes a translated Chinese document showing a local telecom company agreeing to Unit 61398's request for additional fiber optic connections in the name of state security.

The Mandiant researchers then tried to go one step further, putting at least a few real names to the coders involved. (BusinessWeek recently did something similar, with fascinating results.) Mandiant began with a malware coder who goes by the name "UglyGorilla"—a name which is left repeatedly in code tied to the APT1 group.

Back in 2007, for instance, Mandiant says that UglyGorilla "authored the first known sample of the MANITSME family of malware and, like any good artist, left his clearly identifiable signature in the code: 'v1.0 No Doubt to Hack You, Writed by UglyGorilla, 06/29/2007'[sic]." But despite all the uses of the name "UglyGorilla" buried in code samples, leads to the person's actual identity were hard to come by—until Anonymous hacked security firm HBGary Federal in early 2011.

A Unit 61398 building in Shanghai, from which the attacks allegedly emanate. (Image: city8.com)

Slip-ups?

When we spoke to the hackers involved in the 2011 attack, they explained how they had penetrated HBGary Federal e-mail accounts and moved from those to other systems. One of these was rootkit.com, a project run by HBGary's top technical mind, Greg Hoglund, an expert in the rootkit technology that lets malware evade easy detection on compromised computers. The Anonymous hackers used Hoglund's e-mail account to convince another rootkit.com administrator to reset the root password on the site's server to "changeme123." Once done, they entered the server and—among other things—dumped the entire list of user account and password hashes for rootkit.com, which had been hashed with the MD5 algorithm and proved susceptible to third-party password cracking tools. The cracked list was then publicly released.

This list was a boon to Mandiant because UglyGorilla was on it; he had signed up as "uglygorilla" and had used the password uglygorilla@163.com during registration. The password matched one that had been used by someone to register for a People's Liberation Army event back in 2004 and to register hugesoft.org, a domain long associated with the APT1 hacks.

The rootkit.com leak also included some IP address information on each account, and it showed that UglyGorilla had registered from 58.246.255.28, which came "directly" from the APT1 home range that Mandiant linked to Unit 61398 and to its base in the Pudong New Area of Shanghai. Further sleuthing of code uploaded to Chinese developer sites by UglyGorilla suggested that the man's name might be "Wang Dong" and that he might go as "Jack Wang" to English speakers.

The rootkit.com leak also played a role in naming a second man who goes by the handle SuperHard_M. "Once again, in tracking SH [SuperHard] we are fortunate to have access to the accounts disclosed from rootkit.com," say the Mandiant authors. SuperHard_M had also set up an account on rootkit.com, and his IP had also come from one of the "known APT1 egress ranges" used by the attackers. Even better, he had signed up with the e-mail address "mei_qiang_82@sohu.com." Mandiant researchers then searched Chinese sites for this address and found that it had been used to create various forum accounts in which Mei Qiang—the man's presumed name—described how he would "write Trojans for money" and discussed "his involvement with malicious Windows kernel research, and more recently, being local to Shanghai’s Pudong New Area."
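The three paragraphs above describe the same analytic move twice: take an identifier that appears in a breach dump (a registration e-mail, a password string, a source IP), normalize it, and look for the same value in unrelated data sets (a domain registration, an event sign-up, forum accounts), while checking whether the source IP falls inside a network range already tied to the group. The following added example, which is not Mandiant's tooling and uses entirely constructed records and placeholder documentation-only IP ranges rather than the real APT1 ranges, shows that pivot as a small threat-intelligence routine: it clusters records by normalized e-mail, keeps only clusters that span at least two independent sources, and flags any IP in the cluster that sits inside a known range.

```python
import ipaddress
from collections import defaultdict

# Placeholder "known egress ranges" drawn from RFC 5737 documentation space.
# Constructed for the demo; not the ranges Mandiant attributed to APT1.
KNOWN_EGRESS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed records from three hypothetical sources. No real people or leaks.
SAMPLE_RECORDS = [
    {"source": "forum-dump", "handle": "gorilla_x",
     "email": "Gorilla_X@example.net", "ip": "203.0.113.45"},
    {"source": "domain-whois", "domain": "example-hosting.invalid",
     "email": "gorilla_x@example.net"},
    {"source": "event-signup", "name": "(unknown)",
     "email": " gorilla_x@example.net "},
    {"source": "forum-dump", "handle": "bystander",
     "email": "someone@example.org", "ip": "198.51.100.7"},
    {"source": "forum-dump", "handle": "bystander2",
     "email": "someone@example.org", "ip": "198.51.100.8"},
]


def normalize_email(addr: str) -> str:
    """Trim and lower-case so 'Gorilla_X@example.net ' and 'gorilla_x@example.net'
    land in the same bucket."""
    return addr.strip().lower()


def in_known_range(ip: str, ranges=KNOWN_EGRESS_RANGES) -> bool:
    """True when the address falls inside any of the watched networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def pivot_on_email(records, ranges=KNOWN_EGRESS_RANGES, min_sources: int = 2):
    """Group records by normalized e-mail and return the clusters that span at
    least `min_sources` distinct sources, strongest (most sources) first.
    Single-source clusters are dropped: two forum accounts sharing an e-mail
    in one dump is not a pivot, it is one data set."""
    buckets: dict[str, list] = defaultdict(list)
    for rec in records:
        if "email" in rec:
            buckets[normalize_email(rec["email"])].append(rec)

    clusters = []
    for email, recs in buckets.items():
        sources = sorted({r["source"] for r in recs})
        if len(sources) < min_sources:
            continue
        ips = sorted({r["ip"] for r in recs if "ip" in r})
        clusters.append({
            "email": email,
            "sources": sources,
            "handles": sorted({r["handle"] for r in recs if "handle" in r}),
            "domains": sorted({r["domain"] for r in recs if "domain" in r}),
            "ips_in_known_range": [ip for ip in ips if in_known_range(ip, ranges)],
            "ips_outside_range": [ip for ip in ips if not in_known_range(ip, ranges)],
        })
    clusters.sort(key=lambda c: len(c["sources"]), reverse=True)
    return clusters


if __name__ == "__main__":
    for cluster in pivot_on_email(SAMPLE_RECORDS):
        print(cluster)
```

The `min_sources` threshold is the part worth keeping: it encodes the article's own caveat that a single coincidence is not evidence, and it makes the analyst state how many independent data sets must agree before a link is reported.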

None of this amounts to proof; at best, these are good educated guesses (and some onlookers remain skeptical). But if true, they're a reminder that even talented hackers slip up all the time in little ways that can eventually give them away. Indeed, this whole story is rife with slip-ups at HBGary Federal, at rootkit.com, and even among Anonymous. A year after the rootkit.com hack, nearly everyone involved had been arrested, with ringleader Sabu turned into a snitch by the FBI.

By leaving traces in their code and on sites like rootkit.com, hackers like UglyGorilla and SuperHard_M may have slipped up as well. Or not—one theory making the rounds among some security researchers contends that the hackers simply work with impunity in China and thus don't actually care that much about obscuring their identities.

73 Reader Comments

Ultimately, I think the US government is going to have to start suing or assisting affected parties in suing the Chinese government for these types of attacks. It seems (to me, anyway) that the Chinese aren't going to enforce any kind of international or US law with regard to hacking and definitely aren't going to simply stop their state sponsored espionage, so the only tool we really have left is to hit them in their pocketbook.

Ultimately, I think the US government is going to have to start suing or assisting affected parties in suing the Chinese government for these types of attacks. It seems (to me, anyway) that the Chinese aren't going to enforce any kind of international or US law with regard to hacking and definitely aren't going to simply stop their state sponsored espionage, so the only tool we really have left is to hit them in their pocketbook.

It's certainly an interesting idea. The Chinese government will never acknowledge these attacks, and they certainly would not pay if the US sued. But considering how much of the US debt is tied up in China, I wonder how easy it would be to say "we won't be paying you for that hack last week". I wonder if other nations that loan the US money would even mind the dissolution of US debt since it is punishment for a growing issue from China.

This seems like a national security issue. I wonder what the USGOVT is doing to mitigate these things. I'm sure we could find hundreds if not thousands of suitable people to focus on defending against these attacks. I could totally see a bank of Air Force nerds sitting in rows like a NASA launch room fending off attacks circa Ghost in the Shell. Or maybe it's just cuz I love the manga/show.

I work in IT in the USAR and I mostly defend against people sneaking in flash drives and officers leaving their workstations unattended with their CACs still plugged in.

one theory making the rounds among some security researchers contends that the hackers simply work with impunity in China and thus don't actually care that much about obscuring their identities.

But the slip-up still puts the Chinese government in a difficult position. Now the US government can request to interrogate the two hackers. If the Chinese government is not involved, as they claim, they would allow it.

Ultimately, I think the US government is going to have to start suing or assisting affected parties in suing the Chinese government for these types of attacks. It seems (to me, anyway) that the Chinese aren't going to enforce any kind of international or US law with regard to hacking and definitely aren't going to simply stop their state sponsored espionage, so the only tool we really have left is to hit them in their pocketbook.

It's certainly an interesting idea. The Chinese government will never acknowledge these attacks, and they certainly would not pay if the US sued. But considering how much of the US debt is tied up in China, I wonder how easy it would be to say "we won't be paying you for that hack last week". I wonder if other nations that loan the US money would even mind the dissolution of US debt since it is punishment for a growing issue from China.

Well, that sounds great, but it might seriously hamper our future ability to borrow from China. Something that I understand we do frequently.

one theory making the rounds among some security researchers contends that the hackers simply work with impunity in China and thus don't actually care that much about obscuring their identities.

But the slip-up still puts the Chinese government in a difficult position. Now the US government can request to interrogate the two hackers. If the Chinese government is not involved, as they claim, they would allow it.

--B

Really? If roles were reversed do you think the US would agree to let the Chinese Govt question US citizens?

Ultimately, I think the US government is going to have to start suing or assisting affected parties in suing the Chinese government for these types of attacks. It seems (to me, anyway) that the Chinese aren't going to enforce any kind of international or US law with regard to hacking and definitely aren't going to simply stop their state sponsored espionage, so the only tool we really have left is to hit them in their pocketbook.

It's certainly an interesting idea. The Chinese government will never acknowledge these attacks, and they certainly would not pay if the US sued. But considering how much of the US debt is tied up in China, I wonder how easy it would be to say "we won't be paying you for that hack last week". I wonder if other nations that loan the US money would even mind the dissolution of US debt since it is punishment for a growing issue from China.

Well, that sounds great, but it might seriously hamper our future ability to borrow from China. Something that I understand we do frequently.

Not to mention the US also hacks other countries with impunity (Iran) and I would guess China and Russia. It might set a bad precedent, that can then be used against the US.

Ultimately, I think the US government is going to have to start suing or assisting affected parties in suing the Chinese government for these types of attacks. It seems (to me, anyway) that the Chinese aren't going to enforce any kind of international or US law with regard to hacking and definitely aren't going to simply stop their state sponsored espionage, so the only tool we really have left is to hit them in their pocketbook.

It's certainly an interesting idea. The Chinese government will never acknowledge these attacks, and they certainly would not pay if the US sued. But considering how much of the US debt is tied up in China, I wonder how easy it would be to say "we won't be paying you for that hack last week". I wonder if other nations that loan the US money would even mind the dissolution of US debt since it is punishment for a growing issue from China.

Well, that sounds great, but it might seriously hamper our future ability to borrow from China. Something that I understand we do frequently.

Maybe this? Doesn't seem like much more than hot air at the moment, though.

Agreed, why would China pay, the US couldn't make them (would the US Gov't pay if sued by a Chinese court).

re: Not paying debt (apologies in advance for a vast oversimplification that I'm not explaining very well) - The problem is that these debts are in the form of bonds guaranteed by the US government. As the dollar is not on the gold standard, it is only worth what people think it is worth (effectively based on their faith in the US Gov't). If there were any doubt that the US gov't may not honor the debt, the backing for all US gov't debt (and potentially the dollar as a whole) just disappeared.

re: US military hacking only vs. China's commercial hacks - while there could be an argument that the US does not sponsor any attacks for commercial purposes, if they were responsible for Flame/Stuxnet etc, they have already legitimized anyone who hacks to go after their infrastructure (and in this case, they appear to be looking, not damaging). If anything, the shift away from the commercial/IP hacks of the past to these critical systems shows a movement towards what the US has already decided is 'acceptable'.

Really? If roles were reversed do you think the US would agree to let the Chinese Govt question US citizens?

Of course they wouldn't. But it would still put the US gov in a difficult position, basically allowing the Chinese government to say "see? see? The US protects hackers!".

For the record, I don't expect the Chinese to allow interrogation of the two hackers.

--B

I suspect the Chinese government is a lot like the US government in that regard: they protect the hackers who work for them; freelancers with even a shred of dignity get shafted, since we can't have an unknown actor out there causing trouble for everyone: it's against the rules, you see.

I would not be surprised if the names were found using other means and the Anonymous story is being used as a cover. There seems to be more detail than needed as if to convince the Chinese of how their identities were blown.

The Zimmermann telegram (1917) was intercepted and decoded by the British. They had a problem of making a plausible cover story about how they got it before they passed the text to the US. The cover story was a theft in Mexico and they discovered this decoded message in the papers. The Germans fell for the story as did most people because it seemed very plausible given the situation in Mexico at the time (in the middle of a civil war).

The US has clearly stated that it doesn't want a nuclear armed Iran and has a fair amount of international support on a whole host of diplomatic initiatives to achieve that goal. So to say Stuxnet is equivalent to these chinese hacking activities is quite an overstatement. Now if the PRC admitted that its state policy was economic theft and somehow had international support in that endeavor, then you might say those activities were equivalent.

one theory making the rounds among some security researchers contends that the hackers simply work with impunity in China and thus don't actually care that much about obscuring their identities.

But the slip-up still puts the Chinese government in a difficult position. Now the US government can request to interrogate the two hackers. If the Chinese government is not involved, as they claim, they would allow it.

--B

Or the two hackers will have fatal "accidents" on the way to work. This works if the Chinese government wants to silence them, or simply move them to a hidden (à la witness protection) facility, new names etc.

Sooo.... you wrote an article about one group of hackers exposing another group of hackers and somehow you're glorifying this?

Demonicume wrote:

I work in IT in the USAR and I mostly defend against people sneaking in flash drives and officers leaving their workstations unattended with their CACs still plugged in.

You must have some security clearance/ authority or something. As I also am in IT and I don't have any authority to stop someone from coming and going w/ flash drives. If I suspect something I alert my supervisor and security and they handle it.

As for the workstations - ALL modern OSes come equipped with logout timers built in - set a timer (and don't give them admin access). Unless the Reserves are still using 20 year old software (which they very well could be) then your IT responsibilities are an uphill battle on a good day.

China will never pay, as they would be admitting to it and there is always the risk of import ban threats, tariffs, yada, yada as a political response. It's more likely that there are efforts to ID the 'assets' physical locations and take direct action against them. Both of these individuals have likely committed or aided others in committing acts that make them national security threats. I wouldn't want to be either of the two individuals mentioned because it's likely they are now considered targets, loose ends, or both...

Agreed, why would China pay, the US couldn't make them (would the US Gov't pay if sued by a Chinese court).

re: Not paying debt (apologies in advance for a vast oversimplification that I'm not explaining very well) - The problem is that these debts are in the form of bonds guaranteed by the US government. As the dollar is not on the gold standard, it is only worth what people think it is worth (effectively based on their faith in the US Gov't). If there were any doubt that the US gov't may not honor the debt, the backing for all US gov't debt (and potentially the dollar as a whole) just disappeared.

Typically, what is done is you put a lien against / seize assets from the target country. I don't know if it ever happened, but when Venezuela nationalized a bunch of oil fields, there was talk of seizing a bunch of Citgo assets to pay for what they took.

China would be the same way, they own enough foreign assets and do enough international banking that you can simply put a lien on that and not have to deal with US treasuries.

And even if the US did say "we will revoke US bonds that you hold to pay for your court losses" I don't think that would seriously disrupt the world financial system. Every country that participates in the global marketplace understands that you have to follow at least some rules and if you don't you are going to have to pay some fines at a minimum. Now, the level of respect for those rules varies quite a bit from country to country, with the US in no way being the most respectful, but everyone knows that if you totally ignore the whole system, eventually you will suffer far more than if you just pay up.

Well, that sounds great, but it might seriously hamper our future ability to borrow from China. Something that I understand we do frequently.

Only problem with this line of thought is that currently if China cuts the US off from commerce and trade - China will tank. Their economy (as is most of the rest of the world) is directly tied to US funds. Or have you not been paying attention to current events for the past 4± years?

Ultimately, I think the US government is going to have to start suing or assisting affected parties in suing the Chinese government for these types of attacks. It seems (to me, anyway) that the Chinese aren't going to enforce any kind of international or US law with regard to hacking and definitely aren't going to simply stop their state sponsored espionage, so the only tool we really have left is to hit them in their pocketbook.

It's certainly an interesting idea. The Chinese government will never acknowledge these attacks, and they certainly would not pay if the US sued. But considering how much of the US debt is tied up in China, I wonder how easy it would be to say "we won't be paying you for that hack last week". I wonder if other nations that loan the US money would even mind the dissolution of US debt since it is punishment for a growing issue from China.

We could also threaten to declare war. No, I'm not some random malcontent (I think we've had enough war for quite a while) but the state dept said, repeatedly, that they would consider any state-sponsored cyber attack as an act of war. It's really stupid to make empty threats like that - either change the official policy or act on it. I will say, military power is one thing the US still has on China. Besides, do debts really matter if you conquer your creditors? (And no, I'm not serious).

Or, we can continue this cat and mouse game where teams from both countries take turns hacking the other. Seems the more likely scenario for the immediate future.

China owns a lot of US debt, yes. Still, it would surprise many to know that the total is only about 8%.

As others have stated, the problem with withholding payments to China is that China did not loan the US money. China bought public debt, meaning that it's very difficult to simply withhold payment to China while paying everyone else.

Actually it's quite the other way around.. American corporations need to expand into China, not out of it. Otherwise their growth potential will be limited and their stock values will tank... a good example would be Apple...

ars' comment voting system is a failure. Mydrrin has 13 down votes and not one reply as to why this person deserves so many down votes. meanwhile, a culturally insensitive, unimaginative, penis joke has over 16 up votes. do better.

The US has clearly stated that it doesn't want a nuclear armed Iran and has a fair amount of international support on a whole host of diplomatic initiatives to achieve that goal. So to say Stuxnet is equivalent to these chinese hacking activities is quite an overstatement. Now if the PRC admitted that its state policy was economic theft and somehow had international support in that endeavor, then you might say those activities were equivalent.

Mister, do you realise that Stuxnet also infects other computers that have nothing to do with Iran's nuclear program? At least the Chinese pick their targets and leave us civilians alone. I still remember the day when I got back from my 2 months office leave and found 100+ of our workstations infested with Stuxnet trying to crash our nuclear program. It ain't funny mister, but I did not cry foul. Do not want to get hacked? Unplug it! As simple as that. US of A can only hit back, nothing more. Now excuse my English.

Ultimately, I think the US government is going to have to start suing or assisting affected parties in suing the Chinese government for these types of attacks. It seems (to me, anyway) that the Chinese aren't going to enforce any kind of international or US law with regard to hacking and definitely aren't going to simply stop their state sponsored espionage, so the only tool we really have left is to hit them in their pocketbook.

It's certainly an interesting idea. The Chinese government will never acknowledge these attacks, and they certainly would not pay if the US sued. But considering how much of the US debt is tied up in China, I wonder how easy it would be to say "we won't be paying you for that hack last week". I wonder if other nations that loan the US money would even mind the dissolution of US debt since it is punishment for a growing issue from China.

Well, that sounds great, but it might seriously hamper our future ability to borrow from China. Something that I understand we do frequently.

Not to mention the US also hacks other countries with impunity (Iran) and I would guess China and Russia. It might set a bad precedent, that can then be used against the US.

There is a critical difference. The US is hacking enemy countries for self defense. China is hacking US (and other) corporations for monetary gain. The corporations have technology China wants, so they steal it. I'm not necessarily supporting US cyber attacks on Iranian nuclear facilities, but these are clearly apples and oranges.

Only problem with this line of thought is that currently if China cuts the US off from commerce and trade - China will tank. Their economy (as is most of the rest of the world) is directly tied to US funds. Or have you not been paying attention to current events for the past 4± years?

Exactly. The more US debt they own, the better for us (up to a point, of course), because it makes them invested in our success. At this point cutting off ties would hurt them a lot more than it would hurt us. That's why this kind of cyber shadow war is likely to continue for a while, yet actual infrastructure attacks (from China) are not very likely. They want to be rich and successful and powerful, and getting in a direct conflict with us is pretty guaranteed to screw that up.

Ultimately, I think the US government is going to have to start suing or assisting affected parties in suing the Chinese government for these types of attacks. It seems (to me, anyway) that the Chinese aren't going to enforce any kind of international or US law with regard to hacking and definitely aren't going to simply stop their state sponsored espionage, so the only tool we really have left is to hit them in their pocketbook.

It's certainly an interesting idea. The Chinese government will never acknowledge these attacks, and they certainly would not pay if the US sued. But considering how much of the US debt is tied up in China, I wonder how easy it would be to say "we won't be paying you for that hack last week". I wonder if other nations that loan the US money would even mind the dissolution of US debt since it is punishment for a growing issue from China.

Well, that sounds great, but it might seriously hamper our future ability to borrow from China. Something that I understand we do frequently.

Not to mention the US also hacks other countries with impunity (Iran) and I would guess China and Russia. It might set a bad precedent, that can then be used against the US.

There is a critical difference. The US is hacking enemy countries for self defense. China is hacking US (and other) corporations for monetary gain. The corporations have technology China wants, so they steal it. I'm not necessarily supporting US cyber attacks on Iranian nuclear facilities, but these are clearly apples and oranges.

The link to Chinese government is tenuous. US does it for patriotic reasons? Really. Who can wave the flag the hardest. It's the formal authorization of hacking that is allowed. No wrongdoing? Escalation on very tenuous information. The preemptive nature, it is a state declaration. You don't see any problem with this?

US is at war with Iran, I didn't know this? The executive is taking on war making powers.

Linking this with state sponsorship is something serious, and one should expect more evidence than this rather than pushing media hysteria. It is a propaganda piece to justify the executive taking on more war making powers. The information's relevance and accuracy does not matter; it is a propaganda piece.

one theory making the rounds among some security researchers contends that the hackers simply work with impunity in China and thus don't actually care that much about obscuring their identities.

But the slip-up still puts the Chinese government in a difficult position. Now the US government can request to interrogate the two hackers. If the Chinese government is not involved, as they claim, they would allow it.

--B

Really? If roles were reversed do you think the US would agree to let the Chinese Govt question US citizens?

The point is trying to get China to punish hacking as is done in most western countries. Some countries actually do extradite hackers to the US for prosecution or try them there for hacking if they have laws against this sort of activity.